In addition to the malleability attack (high-S and low-S both being valid for a given value of R), ECDSA doesn't provide a property called exclusive ownership: https://soatok.blog/2023/04/03/asymmetric-cryptographic-comm...

In contrast, EdDSA (which is based on Schorr signatures) does, by construction: the public key is included in one of the hashes, which binds the signature to a particular public key.

I haven't investigated whether cryptocurrency's use of Schnorr satisfies this property or not. (Indeed, I do not care about cryptocurrency at all.) So it's an exercise to the reader if it's satisfactory or not :3